 

Tor Hidden Services
How Hidden is ‘Hidden’?
What is Tor?

Tor is an implementation of 2nd generation onion routing

Originally sponsored by the US Naval Research Laboratory
Later became an Electronic Frontier Foundation pro'
Helps to prevent network traffic analysis & surveillance
Open network with over 2000 nodes
Anonymity tool
Uses multiple layers of encryption
Multi-hop proxy
What I have done on Tor

- General Tor research
- HOMING TROLL
— Bridge discovery capability
- Hidden Services
- Helped with a few deanonymisation techniques
- Worked with JTRIG & MCR (Maths & Crypt rese
- Provided support to OP SUPERIORITY
What is it used for?

- The Good
— People living in oppressive countries (circumvent firewalls)
— Access to free media instead of state propaganda
— People can say what they want without it being linked to-

- The Bad
— Bot herders use Tor to give instructions to their bots
— Allows paedophiles access content without linking themsel
— State actors can launch attacks without being attributable
— “Anonymous” & LULZSec
What do we see?

- Any traffic between the client & tor is heavily encrypted.
- We can only really see traffic from an exit node to a webs'
— But we don’t know where this traffic originated from
- Still could link up aliases though
— ‘Somebody’ could still visit a dodgy forum and log in with
send an email using a known target email address (As
use SSL).
Hidden Services

- Hides the IP address of a web service
- Protects content providers by anonymously hosting content
— Publication of undesirable content
- Both client and server are anonymous to an observer and to each other

[Diagram: Normal Tor, showing User and Website; legend: Clear text, Encrypted]
So what do we see now?

Not much...
All Hidden Service traffic is heavily encrypted.
Most we can gather is that one Tor node talks to an
Hiding in the crowd at its best!
The dot eem onion BOOM

- What’s this .onion business?
— TLD Tor uses to initiate a connection to a hidden service

- Example onion domain
— 16 characters in base32 (few characters are actually missing)
— oqznfi3tdo6nwg3f.onion

- DNS?
— Tor uses something similar to DNS to resolve an onion
— Onion domains ‘resolve’ to 3+ IP addresses called Introduction Points (IPT)
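
The 16-character base32 name format on this slide, as an added example that is not part of the original slides: a parser that validates such a name and recovers the 80-bit identifier it encodes. The derivation of the name from a SHA-1 digest of the service's public key follows Tor's version 2 rendezvous specification and is not stated on the slide; `SAMPLE_KEY` and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

# v2 onion label: 16 characters from the base32 alphabet a-z, 2-7
# (the digits 0, 1, 8 and 9 are the "missing" characters).
ONION_V2 = re.compile(r"^([a-z2-7]{16})\.onion\.?$")


def parse_onion_v2(hostname):
    """Return the 10-byte (80-bit) identifier behind a v2 onion name, or None."""
    match = ONION_V2.match(hostname.strip().lower())
    if match is None:
        return None
    # 16 base32 characters * 5 bits = 80 bits, so no padding is needed.
    return base64.b32decode(match.group(1).upper())


def onion_v2_from_key(der_public_key):
    """Derive the v2 onion name from a DER-encoded RSA public key."""
    digest = hashlib.sha1(der_public_key).digest()
    # The name is the first 80 bits of the digest, base32-encoded.
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def matches_key(hostname, der_public_key):
    """True if the onion name is the one derived from this key."""
    ident = parse_onion_v2(hostname)
    expected = hashlib.sha1(der_public_key).digest()[:10]
    return ident is not None and ident == expected


# Constructed stand-in for DER key bytes (assumption: real input would be
# the service's RSA public key).
SAMPLE_KEY = b"constructed-sample-key-bytes"

if __name__ == "__main__":
    print(parse_onion_v2("oqznfi3tdo6nwg3f.onion").hex())
    print(onion_v2_from_key(SAMPLE_KEY))
```

Because the name is a truncated hash of the key, the name itself authenticates the service: a client that knows the name can check the key in the descriptor against it.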
Pieces of the Jig-Saw

- The actual Hidden Service (HS)
— Where the service actually originates from

- User
— The user who wishes to access the Hidden Service

- Hidden Service Directory (HSDir)
— A directory server that hold information on a Hidden Servi

- Introduction Point (IPT)
— Hidden Service’s ‘front door’ / relay

- Rendezvous Point (RP)
— Client’s ‘front door’ / relay
Fitting it together

1. HS selects random IPTs
2. HS uploads descriptor to HSDir
3. Client finds out about HS
4. Client requests descriptor from HSDir
5. Client selects a random RP
6. Client contacts one IPT
7. HS replies to RP
8. RP relays between client and HS
Possible Exploits?

- Rendezvous Point (RP)
— What if we owned the RP?
— Traffic still encrypted, although only a single layer of encryption
— Still only content, don’t know who the user is or where the HS is located
— Clients randomly select their RP so unlikely to be picked anyway

- Hidden Service Directory (HSDir)
— If we take a HSDir down, there are still many left
— Could potentially collect onion domains if we acted as a HSDir

- Client
— No real way to distinguish between a Tor user accessing the web

- Introduction Points (IPT)
— All Hidden Service IPTs are listed on its descriptor (the thing that’s stored on a HSDir)
— Potential for an attack on IPTs to stop them accepting connections for the HS
— This could be done using a ‘Coil Attack’
— Doesn't stop a HS selecting another set of IPTs
— HS can encrypt their IPTs in their descriptor (but not m

- Hidden Service (HS)
— What about exploiting the HS directly?
— Potential to identify the IP addresses hidden services
  But can't really say which one
— Identified a beaconing pattern from HS
— Dependent on collection posture
— Great for PRESTON

Idle Client Beacons

Idle HS Beacons

Summary

Tor helps people become anonymous
Very naughty people use Tor
Hidden Services hide the fact web content even exi
Near impossible to figure out who is talking to who
It's complicated
Some areas for further research
Until then... Doesn’t stop us from using them

Questions?